
I love this. I really do. At the start I hated it, but he welcomed the change. As a teacher (I'm not) I would be very proud that my students questioned me. Especially in this field, data security is a real deal. Teach it early and stop bad practices.

I'm not entirely on your side. You don't need to learn every detail on the first go. It could be overwhelming for some. Though it depends on what the actual topic at hand was. Also, I agree he should at least emphasise that that's the wrong way to do it.

I once went through the codebase of the FosUserBundle and was surprised to see a for loop over the hash comparison instead of `generatedPasswordHash == storedHash`.

It turns out that they want to enforce that the password comparison process takes the same amount of time when a hacker tries to do a timing attack. (foo == bar would be false quickly, bao == bar would be false less quickly.)

Security is hard.

Really makes you think if you should implement your own user management (spoiler: you shouldn't). It's worth reading the implementation though if you ever have to. You won't think of all vectors of attack.
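The early-exit versus fixed-iteration comparison described in the FosUserBundle comment, as an added example that is not part of the original thread or of the bundle's code. The `naive_equals` loop is an emulation of a short-circuiting `==`, and it returns how many bytes it examined so the leak is visible without wall-clock timing; the hash strings are constructed sample values.

```python
import hmac


def naive_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """Emulates a short-circuiting `==`: stops at the first differing byte.

    Returns (equal, bytes_examined). The second value is what an attacker
    measures indirectly through response time: it reveals how long the
    correct prefix is.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equals(a: bytes, b: bytes) -> tuple[bool, int]:
    """The for-loop pattern: XOR every byte pair and OR the results together.

    Work done depends only on the length, never on where the first
    mismatch is. Hash digests of one algorithm have a fixed length, so the
    length check itself reveals nothing useful.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_hash(computed_hash: str, stored_hash: str) -> bool:
    """What application code should actually call: the standard library's
    constant-time comparison, rather than a hand-rolled loop."""
    return hmac.compare_digest(computed_hash.encode(), stored_hash.encode())


if __name__ == "__main__":
    # Constructed sample values mirroring the comment's foo/bar/bao example.
    print(naive_equals(b"foo", b"bar"))           # (False, 1): bails out early
    print(naive_equals(b"bao", b"bar"))           # (False, 3): got further
    print(constant_time_equals(b"foo", b"bar"))   # (False, 3)
    print(constant_time_equals(b"bao", b"bar"))   # (False, 3): same work
    print(verify_hash("5f4dcc3b5aa765d6", "5f4dcc3b5aa765d6"))  # True
```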

I'm just thinking from the teacher's perspective here: they came to teach you about SQL, not security. They might not actually understand the aspects of security you do; they mightn't have even heard of hashing. My point is, you don't know, and you risk making them look bad, and while I can understand it would feel good being right, that security should be mentioned, it's not their job to make sure you don't get hacked.

They're teaching you how to make queries, they're teaching you SQL, and if the course structure just so happens to have separated SQL and security, then they will not teach that. While I agree a mention would be great, in my personal opinion it would have been better to keep the thought to your fellow students rather than getting the teacher to. You did the mention; best leave it at that, eh? :)

That said - it's not black or white, there are truths to each side, keep up the great job ranting! 😁

Dude... Lol ... I did all my programming courses in University and never heard about sql injection nor design patterns not even a glimpse on what security is. The shit they teach us in these universities is beyond obsolete!